<!DOCTYPE html>
<html lang="en-US">
<head>
	<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
	<link rel="pingback" href="https://csirt.egi.eu/xmlrpc.php" />

	<script type="text/javascript">
		document.documentElement.className = 'js';
	</script>

	<script>var et_site_url='https://csirt.egi.eu';var et_post_id='1379';function et_core_page_resource_fallback(a,b){"undefined"===typeof b&&(b=a.sheet.cssRules&&0===a.sheet.cssRules.length);b&&(a.onerror=null,a.onload=null,a.href?a.href=et_site_url+"/?et_core_page_resource="+a.id+et_post_id:a.src&&(a.src=et_site_url+"/?et_core_page_resource="+a.id+et_post_id))}
</script><title>Attacks on multiple HPC sites | EGI CSIRT</title>
<link rel='dns-prefetch' href='//csirt.splet.arnes.si' />
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="EGI CSIRT &raquo; Feed" href="https://csirt.egi.eu/feed/" />
<link rel="alternate" type="application/rss+xml" title="EGI CSIRT &raquo; Comments Feed" href="https://csirt.egi.eu/comments/feed/" />
		<script type="text/javascript">
			window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/csirt.egi.eu\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2"}};
			/*! This file is auto-generated */
			!function(e,a,t){var r,n,o,i,p=a.createElement("canvas"),s=p.getContext&&p.getContext("2d");function c(e,t){var a=String.fromCharCode;s.clearRect(0,0,p.width,p.height),s.fillText(a.apply(this,e),0,0);var r=p.toDataURL();return s.clearRect(0,0,p.width,p.height),s.fillText(a.apply(this,t),0,0),r===p.toDataURL()}function l(e){if(!s||!s.fillText)return!1;switch(s.textBaseline="top",s.font="600 32px Arial",e){case"flag":return!c([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])&&(!c([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!c([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]));case"emoji":return!c([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}function d(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(i=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},o=0;o<i.length;o++)t.supports[i[o]]=l(i[o]),t.supports.everything=t.supports.everything&&t.supports[i[o]],"flag"!==i[o]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[i[o]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(r=t.source||{}).concatemoji?d(r.concatemoji):r.wpemoji&&r.twemoji&&(d(r.twemoji),d(r.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<meta content="Divi v.4.7.3" name="generator"/><style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://csirt.egi.eu/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='cookielawinfo-style-css'  href='https://csirt.splet.arnes.si/wp-content/plugins/cookie-law-info/css/cli-style.css?ver=5.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='divi-fonts-css'  href='https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800&#038;subset=latin,latin-ext&#038;display=swap' type='text/css' media='all' />
<link rel='stylesheet' id='divi-style-css'  href='https://csirt.egi.eu/wp-content/themes/Divi/style.css?ver=4.7.3' type='text/css' media='all' />
<link rel='stylesheet' id='dashicons-css'  href='https://csirt.egi.eu/wp-includes/css/dashicons.min.css?ver=5.4.2' type='text/css' media='all' />
<script type='text/javascript' src='https://csirt.egi.eu/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
<script type='text/javascript' src='https://csirt.egi.eu/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1'></script>
<script type='text/javascript' src='https://csirt.splet.arnes.si/wp-content/plugins/cookie-law-info/js/jquery.cookie.js?ver=5.4.2'></script>
<script type='text/javascript' src='https://csirt.splet.arnes.si/wp-content/plugins/cookie-law-info/js/cookielawinfo.js?ver=5.4.2'></script>
<link rel='https://api.w.org/' href='https://csirt.egi.eu/wp-json/' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://csirt.egi.eu/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://csirt.egi.eu/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.4.2" />
<link rel="canonical" href="https://csirt.egi.eu/attacks-on-multiple-hpc-sites/" />
<link rel='shortlink' href='https://csirt.egi.eu/?p=1379' />
<link rel="alternate" type="application/json+oembed" href="https://csirt.egi.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fcsirt.egi.eu%2Fattacks-on-multiple-hpc-sites%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://csirt.egi.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fcsirt.egi.eu%2Fattacks-on-multiple-hpc-sites%2F&#038;format=xml" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" /><link rel="icon" href="https://csirt.egi.eu/files/2020/04/cropped-csirt-favicon-32x32.png" sizes="32x32" />
<link rel="icon" href="https://csirt.egi.eu/files/2020/04/cropped-csirt-favicon-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://csirt.egi.eu/files/2020/04/cropped-csirt-favicon-180x180.png" />
<meta name="msapplication-TileImage" content="https://csirt.egi.eu/files/2020/04/cropped-csirt-favicon-270x270.png" />
<link rel="stylesheet" id="et-divi-customizer-global-cached-inline-styles" href="https://csirt.splet.arnes.si/wp-content/et-cache/1/10725/global/et-divi-customizer-global-16392982997684.min.css" onerror="et_core_page_resource_fallback(this, true)" onload="et_core_page_resource_fallback(this)" /></head>
<body class="page-template-default page page-id-1379 et_pb_button_helper_class et_fixed_nav et_show_nav et_primary_nav_dropdown_animation_fade et_secondary_nav_dropdown_animation_fade et_header_style_left et_pb_footer_columns4 et_cover_background et_pb_gutter et_pb_gutters3 et_right_sidebar et_divi_theme et-db et_minified_js et_minified_css">
	<div id="page-container">

	
	
			<header id="main-header" data-height-onload="67">
			<div class="container clearfix et_menu_container">
							<div class="logo_container">
					<span class="logo_helper"></span>
					<a href="https://csirt.egi.eu/">
						<img src="/files/2016/10/EGI-CSIRT-logo.png" alt="EGI CSIRT" id="logo" data-height-percentage="100" />
					</a>
				</div>
							<div id="et-top-navigation" data-height="67" data-fixed-height="40">
											<nav id="top-menu-nav">
						<ul id="top-menu" class="nav"><li id="menu-item-67" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-67"><a href="https://csirt.egi.eu/">Home</a></li>
<li id="menu-item-127" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-127"><a href="https://csirt.egi.eu/activities/">Activities</a></li>
<li id="menu-item-293" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-293"><a href="https://csirt.egi.eu/materials/">Materials</a></li>
<li id="menu-item-777" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-777"><a href="https://csirt.egi.eu/trainings/">Trainings</a></li>
<li id="menu-item-68" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-68"><a href="https://csirt.egi.eu/home/contacts/">Contacts</a></li>
<li id="menu-item-705" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-705"><a href="https://csirt.egi.eu/news/">News</a></li>
<li id="menu-item-128" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-128"><a href="https://csirt.egi.eu/about/">About</a></li>
</ul>						</nav>
					
					
					
										<div id="et_top_search">
						<span id="et_search_icon"></span>
					</div>
					
					<div id="et_mobile_nav_menu">
				<div class="mobile_nav closed">
					<span class="select_page">Select Page</span>
					<span class="mobile_menu_bar mobile_menu_bar_toggle"></span>
				</div>
			</div>				</div> <!-- #et-top-navigation -->
			</div> <!-- .container -->
			<div class="et_search_outer">
				<div class="container et_search_form_container">
					<form role="search" method="get" class="et-search-form" action="https://csirt.egi.eu/">
					<input type="search" class="et-search-field" placeholder="Search &hellip;" value="" name="s" title="Search for:" />					</form>
					<span class="et_close_search_field"></span>
				</div>
			</div>
		</header> <!-- #main-header -->
			<div id="et-main-area">
	
<div id="main-content">


	<div class="container">
		<div id="content-area" class="clearfix">
			<div id="left-area">


			
				<article id="post-1379" class="post-1379 page type-page status-publish hentry">

				
					<h1 class="entry-title main_title">Attacks on multiple HPC sites</h1>
				
				
					<div class="entry-content">
					
<p><strong>[TLP:WHITE]</strong></p>



<p><strong>This page covers ongoing attacks. As the TLP:GREEN nature of this link was breached and it can only be considered TLP:WHITE now, this page may not be updated anymore, except for TLP:WHITE data (last update: 2020-05-18 11:00:00). For more information regarding ongoing investigations and cooperation possibilities, please contact irtf@mailman.egi directly.</strong></p>



<p>EGI and its supporting organisations deeply care about their international partners and peer infrastructures, and although so far there is no operational impact on EGI, the EGI CSIRT strongly believes in protecting the community and is actively supporting and coordinating the response to the current security incidents affecting the academic and research sector.</p>



<p><strong>This page covers **TWO** security incidents that may or may not be correlated.</strong></p>



<h1 id="Summary"><strong>Incident #EGI20200421</strong></h1>



<h2><strong>Summary</strong></h2>



<p>A malicious group is currently targeting academic data centers for CPU mining purposes. The attacker is hopping from one victim to another using compromised SSH credentials.</p>



<p>The compromised hosts are turned into different roles, including:</p>



<ul><li><strong>XMR mining hosts (running a hidden XMR binary)</strong></li><li><strong>XMR-proxy hosts</strong> ; The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.</li><li><strong>SOCKS proxy hosts (running a microSOCKS instance on a high port)</strong> ; The attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.</li><li><strong>Tunnel hosts (SSH tunneling)</strong> ; The attacker connects via SSH (compromised account) and configure NAT PREROUTING (typically to access private IP spaces).</li></ul>



<p>Key points:</p>



<ul><li>Connections to the SOCKS proxy hosts are typically done via TOR or compromised hosts.</li><li>The attackers uses different techniques to hide the malicious activity, including a malicious Linux Kernel Module (<a href="https://github.com/m0nad/Diamorphine" target="_blank" rel="noreferrer noopener">https://github.com/m0nad/Diamorphine</a>).</li><li>It is not fully understood how SSH credentials are stolen, although some (but not all) victims have discovered compromised SSH binaries.</li><li>At least in one case, the malicious XMR activity is configured (CRON) to operate only during night times to avoid detection.</li><li>There are victims in China, Europe and North America.</li></ul>



<h2><strong>Indicators of compromise</strong></h2>



<h3><strong>Network based</strong></h3>



<figure class="wp-block-table"><table><thead><tr><th>IP</th><th>Comment</th><th>Role in attack</th></tr></thead><tbody><tr><td>91.196.70.109</td><td>XMR mining server</td><td>Coordinate the XMR activity</td></tr><tr><td>149.156.26.227</td><td>Victim server andromeda.up.krakow.pl</td><td>Malicious IP used for SSH logins + running SOCKS proxy</td></tr><tr><td>149.156.26.56</td><td>Victim server vega.up.krakow.pl</td><td>Malicious IP used for SSH logins + running SOCKS proxy</td></tr><tr><td>142.150.255.49</td><td>Victim desktop UTORONTO</td><td>Source for attack on .ca hosts</td></tr><tr><td>159.226.234.29</td><td>Victim server at CAS, China</td><td>Malicious IP used for SSH logins + running SOCKS proxy</td></tr></tbody></table></figure>



<p>TOR hosts (SOCKS proxy users):</p>



<pre class="wp-block-code"><code>51.77.135.89 (also used for malicious SSH logins)
51.15.177.65
51.75.52.118
51.75.144.43
51.79.53.139
51.79.86.181
212.83.166.62</code></pre>



<p>Additional hosts suspected to be involved, as they were found using the SOCKS proxy on a compromised host:</p>



<pre class="wp-block-code"><code>159.226.88.110 (CSNET, China. TCP/44300 access from krakow.pl): Being investigated by CSTCERT
159.226.62.107 (CSNET, China. HTTPS access from krakow.pl): Compromised (XMR mining) and reinstaled by the admin ~2020-05-08 
159.226.170.127 (CSNET, China. TCP/21 access from krakow.pl): Being investigated by CSTCERT
132.230.222.12 (Uni-Freiburg. SSH access from krakow.pl): Investigated (malicious SSH binaries found) (not clear if they are involved in this or just 20200512)
192.154.2.203 (UCLA, USA. SSH access from krakow.pl): Notified.
129.49.37.67 (SUNYSB, USA. Access from a SOCKS proxy): Notified.
129.49.170.118 (SUNYSB, USA. Access from a SOCKS proxy): NOT Notified</code></pre>



<p>Example:</p>



<pre class="wp-block-code"><code>client&#091;4] 51.75.52.118: connected to 159.226.88.110:44300
client&#091;4] 51.75.52.118: connected to 132.230.222.12:22
client&#091;11] 51.75.144.43: connected to 159.226.170.127:21
client&#091;6] 51.75.144.43: connected to 159.226.88.110:44300</code></pre>



<p>It is helpful to also check all existing connections (<code>lsof</code>) and NAT configurations (<code>iptables</code>).</p>



<h3><strong>Filesystem</strong></h3>



<h4>XMR mining, LKM and host configuration</h4>



<ul><li>Check for Linux Kernel Modules:</li></ul>



<p>Run <code>kill -63 $(random pid)</code> followed by <code>lsmod</code>, then search for modules with names like: <code>diamorphine</code>, <code>scsi</code>, <code>iscsi</code>, <code>readaps</code></p>



<ul><li>Check the content of <code>/etc/cron.hourly/0anacron</code></li><li>Check for the following files:</li></ul>



<pre class="wp-block-code"><code>/home/*/.mozilla/xdm
/tmp/.dbs* 
/tmp/.lock
/tmp/aes.tgz
/tmp/db.tgz 
/tmp/dbsyn* 
/tmp/reserved
/tmp/systemdb 
/tmp/updatedb
/tmp/check_power
/tmp/hdshare
/tmp/readps
/usr/bin/on_ac_power (if different from packaged version)
/usr/lib/libocs.so 
/usr/lib64/.lib/l64
/usr/share/aldi.so
/usr/share/sos/rh.pub (if different from packaged version)
/var/tmp/.lock
/var/tmp/.lock/clogs 
/var/tmp/.lock/cpa.h 
/var/tmp/.lock/ologs 
/wlcg/arc-ce1/cache/.cache
</code></pre>



<h1 id="Possible-related-intrusion"><strong>Incident #EGI2020512</strong></h1>



<h2><strong>Summary</strong></h2>



<p>A malicious group is currently targeting academic data centers for unknown purpose.</p>



<p>The attacker is hopping from one victim to another using compromised SSH credentials.</p>



<h2><strong>Indicators of compromise</strong></h2>



<h3>Network based</h3>



<figure class="wp-block-table"><table><thead><tr><th>IP</th><th>Comment</th><th>Role in attack</th></tr></thead><tbody><tr><td>149.156.26.227</td><td>Andromeda.up.krakow.pl (host now cleaned)</td><td>IP used for SSH logins</td></tr><tr><td>202.120.32.231</td><td>Shanghai Jiaotong University</td><td>IP used for SSH logins</td></tr><tr><td>202.120.58.243</td><td>Shanghai Jiaotong University</td><td>IP used for SSH logins</td></tr><tr><td>202.120.58.244</td><td>Shanghai Jiaotong University</td><td>IP used for SSH logins</td></tr><tr><td>2001:da8:8000:6300::/64</td><td>Shanghai Jiaotong University (?)</td><td>IP used for SSH logins</td></tr><tr><td>159.226.161.107</td><td>CSTNET, China</td><td>IP used for SSH logins</td></tr><tr><td>159.226.234.29</td><td>CSTNET, China</td><td>IP used for SSH logins</td></tr></tbody></table></figure>



<p>It is helpful to also check all existing connections (<code>lsof</code>) and NAT configurations (<code>iptables</code>).</p>



<h3><strong>Filesystem</strong></h3>



<p>Check for the following files:</p>



<pre class="wp-block-code"><code>/apps/.ior/read/.terma
/apps/.ior/read/.termb
/etc/fonts/.fonts (suid binary for privileged escalation (contains `setgid(0);setuid(0);execl('/bin/bash/', {'bash', NULL}, NULL)`)
/etc/fonts/.low (Log cleaner, capable of removing logs and entries matching specific users (during some time period) in most log files)
/etc/terminfo/.terma
/etc/terminfo/.termb
$HOME/.mozilla/plugins/.fonts
$HOME/.mozilla/plugins/.low
$HOME/.mozilla/plugins/.aa
$HOME/.mozilla/plugins/test
/usr/lib64/.lib/l64
/var/games/.terma
/var/games/.termb</code></pre>



<h2 id="Contact"><strong>Contact</strong></h2>



<p>If you have any additional information or any match at your site, please contact EGI CSIRT at <a href="mailto:irtf@mailman.egi.eu">irtf@mailman.egi.eu</a><br><strong>In case of TLP:RED data</strong>, use GPG: A97F 3BDD F0EE 01A1 176C C13A 93BF 7F91 5696 F750</p>



<div class="wp-block-image"><figure class="alignleft"><a href="https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo.png"><img src="https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo-150x150.png" alt="" class="wp-image-823" srcset="https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo-150x150.png 150w, https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo-300x300.png 300w, https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo-768x768.png 768w, https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo-1024x1024.png 1024w, https://csirt.egi.eu/files/2016/10/EGI-CSIRT-logo-1080x1080.png 1080w" sizes="(max-width: 150px) 100vw, 150px" /></a></figure></div>



<div class="wp-block-image"><figure class="alignleft"><a href="https://csirt.egi.eu/files/2016/10/TI-Certified.png"><img src="https://csirt.egi.eu/files/2016/10/TI-Certified.png" alt="" class="wp-image-53" /></a></figure></div>
					</div> <!-- .entry-content -->

				
				</article> <!-- .et_pb_post -->

			

			</div> <!-- #left-area -->

				<div id="sidebar">
		<div id="search-2" class="et_pb_widget widget_search"><form role="search" method="get" id="searchform" class="searchform" action="https://csirt.egi.eu/">
				<div>
					<label class="screen-reader-text" for="s">Search for:</label>
					<input type="text" value="" name="s" id="s" />
					<input type="submit" id="searchsubmit" value="Search" />
				</div>
			</form></div> <!-- end .et_pb_widget --><div id="recent-comments-2" class="et_pb_widget widget_recent_comments"><h4 class="widgettitle">Recent Comments</h4><ul id="recentcomments"></ul></div> <!-- end .et_pb_widget --><div id="archives-2" class="et_pb_widget widget_archive"><h4 class="widgettitle">Archives</h4>		<ul>
				<li><a href='https://csirt.egi.eu/2021/12/'>December 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/11/'>November 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/10/'>October 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/09/'>September 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/07/'>July 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/06/'>June 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/05/'>May 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/04/'>April 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/03/'>March 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/02/'>February 2021</a></li>
	<li><a href='https://csirt.egi.eu/2021/01/'>January 2021</a></li>
	<li><a href='https://csirt.egi.eu/2020/11/'>November 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/10/'>October 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/09/'>September 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/08/'>August 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/07/'>July 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/05/'>May 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/03/'>March 2020</a></li>
	<li><a href='https://csirt.egi.eu/2020/02/'>February 2020</a></li>
	<li><a href='https://csirt.egi.eu/2019/12/'>December 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/10/'>October 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/09/'>September 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/08/'>August 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/07/'>July 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/06/'>June 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/05/'>May 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/04/'>April 2019</a></li>
	<li><a href='https://csirt.egi.eu/2019/03/'>March 2019</a></li>
		</ul>
			</div> <!-- end .et_pb_widget --><div id="categories-2" class="et_pb_widget widget_categories"><h4 class="widgettitle">Categories</h4>		<ul>
				<li class="cat-item cat-item-30"><a href="https://csirt.egi.eu/category/advisories/">Advisories</a>
</li>
	<li class="cat-item cat-item-29"><a href="https://csirt.egi.eu/category/incident-reports/">Incident Reports</a>
</li>
	<li class="cat-item cat-item-25"><a href="https://csirt.egi.eu/category/knowledgebase/">Knowledgebase</a>
</li>
	<li class="cat-item cat-item-21"><a href="https://csirt.egi.eu/category/news/">News</a>
</li>
	<li class="cat-item cat-item-27"><a href="https://csirt.egi.eu/category/recommendations/">Recommendations</a>
</li>
	<li class="cat-item cat-item-23"><a href="https://csirt.egi.eu/category/trainings/">Trainings</a>
</li>
		</ul>
			</div> <!-- end .et_pb_widget --><div id="meta-2" class="et_pb_widget widget_meta"><h4 class="widgettitle">Meta</h4>			<ul>
						<li><a href="https://csirt.egi.eu/wp-login.php">Log in</a></li>
			<li><a href="https://csirt.egi.eu/feed/">Entries feed</a></li>
			<li><a href="https://csirt.egi.eu/comments/feed/">Comments feed</a></li>
			<li><a href="https://wordpress.org/">WordPress.org</a></li>			</ul>
			</div> <!-- end .et_pb_widget -->	</div> <!-- end #sidebar -->
		</div> <!-- #content-area -->
	</div> <!-- .container -->


</div> <!-- #main-content -->


			<footer id="main-footer">
				

		
				<div id="footer-bottom">
					<div class="container clearfix">
				<p id="footer-info">Designed by <a href="http://www.elegantthemes.com" title="Premium WordPress Themes">Elegant Themes</a> | Powered by <a href="http://www.wordpress.org">WordPress</a></p>					</div>	<!-- .container -->
				</div>
			</footer> <!-- #main-footer -->
		</div> <!-- #et-main-area -->


	</div> <!-- #page-container -->

			
		<script type="text/javascript">
			//<![CDATA[
			jQuery(document).ready(function() {
				var a = '<div id="cookie-law-info-bar"><span>This site uses cookies Piwik which allow us to anonymously collect information about the use of the website to improve user experience. By continuing to browse the site, you are agreeing to our use of cookies.<br /><a href=\"#\" id=\"cookie_action_close_header\"  class=\"medium cli-plugin-button cli-plugin-main-button\" >O.K.</a> <a href=\"https://splet.arnes.si/privacy-policy/\" id=\"CONSTANT_OPEN_URL\" target=\"_new\"  class=\"cli-plugin-main-link\"  >Details</a></span></div><div id="cookie-law-info-again"><span id="cookie_hdr_showagain">Cookies</span></div>';
				var b = '{"animate_speed_hide":"500","animate_speed_show":"500","background":"#fff","border":"#EC7F43","border_on":true,"button_1_button_colour":"#ec7F43","button_1_button_hover":"#bd6636","button_1_link_colour":"#fff","button_1_as_button":true,"button_2_button_colour":"#F07D3E","button_2_button_hover":"#c06432","button_2_link_colour":"#F07D3E","button_2_as_button":false,"font_family":"inherit","notify_animate_hide":true,"notify_animate_show":true,"notify_div_id":"#cookie-law-info-bar","notify_position_horizontal":"right","notify_position_vertical":"bottom","showagain_tab":true,"showagain_background":"#fff","showagain_border":"#000","showagain_div_id":"#cookie-law-info-again","showagain_x_position":"100px","text":"#000","show_once_yn":false,"show_once":"10000"}';
				cli_show_cookiebar(a,b);
				
							});
			//]]>
		</script>
		
		<!--
<p style="text-align:center" class="yd_linkware"><small><a href="http://www.yann.com/en/wp-plugins/yd-wpmu-sitewide-options">Network-wide options by YD - Freelance Wordpress Developer</a></small></p>
--><!-- Matomo -->
<script type="text/javascript">
  var _paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="https://analitika.arnes.si/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', '10026']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<!-- End Matomo Code -->
<script type='text/javascript'>
/* <![CDATA[ */
var DIVI = {"item_count":"%d Item","items_count":"%d Items"};
var et_shortcodes_strings = {"previous":"Previous","next":"Next"};
var et_pb_custom = {"ajaxurl":"https:\/\/csirt.egi.eu\/wp-admin\/admin-ajax.php","images_uri":"https:\/\/csirt.egi.eu\/wp-content\/themes\/Divi\/images","builder_images_uri":"https:\/\/csirt.egi.eu\/wp-content\/themes\/Divi\/includes\/builder\/images","et_frontend_nonce":"96b3af5ad8","subscription_failed":"Please, check the fields below to make sure you entered the correct information.","et_ab_log_nonce":"c2fcd2725d","fill_message":"Please, fill in the following fields:","contact_error_message":"Please, fix the following errors:","invalid":"Invalid email","captcha":"Captcha","prev":"Prev","previous":"Previous","next":"Next","wrong_captcha":"You entered the wrong number in captcha.","wrong_checkbox":"Checkbox","ignore_waypoints":"no","is_divi_theme_used":"1","widget_search_selector":".widget_search","ab_tests":[],"is_ab_testing_active":"","page_id":"1379","unique_test_id":"","ab_bounce_rate":"5","is_cache_plugin_active":"no","is_shortcode_tracking":"","tinymce_uri":""}; var et_builder_utils_params = {"condition":{"diviTheme":true,"extraTheme":false},"scrollLocations":["app","top"],"builderScrollLocations":{"desktop":"app","tablet":"app","phone":"app"},"onloadScrollLocation":"app","builderType":"fe"}; var et_frontend_scripts = {"builderCssContainerPrefix":"#et-boc","builderCssLayoutPrefix":"#et-boc .et-l"};
var et_pb_box_shadow_elements = [];
var et_pb_motion_elements = {"desktop":[],"tablet":[],"phone":[]};
var et_pb_sticky_elements = [];
/* ]]> */
</script>
<script type='text/javascript' src='https://csirt.egi.eu/wp-content/themes/Divi/js/custom.unified.js?ver=4.7.3'></script>
<script type='text/javascript' src='https://csirt.egi.eu/wp-content/themes/Divi/core/admin/js/common.js?ver=4.7.3'></script>
<script type='text/javascript' src='https://csirt.egi.eu/wp-includes/js/wp-embed.min.js?ver=5.4.2'></script>
</body>
</html>
